January 2, 2002
Audit Report No. 02-001

Follow-up Audit of Internal Controls Over the Customer Information and Control System for the FDIC Financial Systems

Federal Deposit Insurance Corporation
Office of Audits, Office of Inspector General
Washington, D.C. 20434

DATE: January 2, 2002

TO: Carol M. Heindel, Acting Director, Division of Information Resources Management

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: Final Report Entitled Follow-up Audit of Internal Controls over the Customer Information and Control System for FDIC Financial Systems (Audit Report No. 02-001)

This report presents the results of our follow-up audit of internal controls over the Customer Information and Control System (CICS). Our objectives were to evaluate the adequacy of the installation parameters[1] used by the CICS system software for the financial systems and the adequacy of access security over CICS files, resources,[2] and software monitoring products.[3] Our audit scope and methodology are discussed in Appendix I.

[1] Data (in files) or code that can be used to designate how systems are initiated. Parameters include limits on operator intervention, periodic file back-ups, and security options.
[2] Resources are transactions, applications, terminal devices, and communications.
[3] Software monitoring products are vendor-supplied programs that allow systems engineers to detect and correct inefficiencies or errors in computer operations.

Previously, we conducted an audit that included all of the CICS system controls, including the installation parameters used by the CICS system software for the financial systems and the adequacy of access security over CICS files, resources, and software monitoring products. On June 19, 1997, we issued a report entitled CICS for the IBM and Amdahl Mainframe Computers. The report included recommendations for further protecting the integrity and performance of application programs under CICS, improving access controls, and reducing the risk of CICS authorizations for a given application system interfering with or bypassing the security mechanisms for other application systems under CICS control. Appendix II contains a summary of the recommendations and management comments in that report.

INTRODUCTION

CICS is a transaction management program for mission-critical applications, such as the Bank Information Tracking System, Call Processing System, and the FDIC’s financial systems. The FDIC’s financial systems include the Financial Information Management System general ledger, the Accounts Payable Purchase Order System, and the Electronic Procurement Routing Invoice Solution. The financial systems record and report all the financial activity of the Corporation.

CICS provides the interface between these application programs and the computer’s operating system. Specifically, it provides the mainframe operating system with the ability to handle transactions from user terminals such as a personal computer. For example, a transaction sent from a personal computer could be a user processing an accounting entry. CICS interprets the user command to process the accounting entry, calls the appropriate application program, and passes the user information to that program. Once the program is finished, CICS passes any response from the application program back to the user’s personal computer. In almost all application program environments, CICS involvement in the communications and tracking process is transparent to the end user.

In order to conduct these functions, CICS utilizes a System Definition File. The System Definition File within CICS identifies and defines what transactions or programs are available to users of the mission-critical applications. Also, the CICS software system includes very powerful capabilities (e.g., commands that can shut down the application systems) that must be appropriately controlled to protect corporate applications and data. Consequently, to ensure the integrity of application programs and data, CICS must be integrated with the security software used on the mainframe computer.

RESULTS OF AUDIT

Controls were not in place to protect access to the CICS System Definition File within the CICS system. As a result, over 100 non-CICS programmers had full access to the System Definition File and had the capability to shut down or disrupt the systems that are critical to the FDIC’s mission. This condition was brought immediately to the attention of DIRM management, who took appropriate action to correct the problem.

Our evaluation of the installation parameters for the CICS system showed that the parameters used in activating the financial systems were consistent with guidelines and recommendations provided by the product’s vendor.[4] We also concluded that other access security controls were adequate for CICS system files, resources, and software monitoring products used by the FDIC financial systems.

[4] The vendor for CICS is International Business Machines, Incorporated.

ACCESS TO CICS SYSTEM DEFINITION FILE

Over 100 non-CICS programmers had full access to the CICS System Definition File. They had read, write, and execute capabilities when only the duties of CICS system programmers require this level of access. Access rules[5] that were in place to limit the number of programmers with access to the CICS System Definition File and its maintenance program were negated when the FDIC installed new broad access rules within the security program to permit programmers to access less sensitive systems and information. Upon accessing the System Definition File, programmers had the capability to shut down or disrupt the systems that are critical to the FDIC’s mission. Consequently, excessive access and authority to modify software increases the risk that unapproved changes can be made that could compromise data integrity, accuracy, and availability.

[5] Access rules are instructions coded into a security system to designate which users are allowed access to systems and information.

Background

Office of Management and Budget Circular A-130, Appendix III, section B.(a) 2. (c) states:

    In every general support system, a number of technical, operational, and management controls are used to prevent and detect harm. Such controls include individual accountability, “least privilege,” and separation of duties. Least privilege is the practice of restricting a user’s access (to data files, to processing capability, or to peripherals) or type of access (read, write, execute, delete) to the minimum necessary to perform his or her job.

Also, FDIC Circular 1360.15 requires the protection of sensitive automated information systems and data from unauthorized access, disclosure, and use. Sensitive information systems include those systems that process financial information and data protected from disclosure by any applicable law, regulation, or order.

Adequacy of Access Controls

Over 100 non-CICS programmers had the capability to read, write, and execute commands to the CICS System Definition File. However, only the duties of CICS system programmers require this level of access. CICS programmers require read, write, and execute access in order to perform routine system maintenance. The non-CICS programmers with access to the System Definition File had responsibilities that were not related to CICS or the System Definition File.

Access rules that were in place to limit the number of programmers with access to the CICS System Definition File and its maintenance program were negated when the FDIC installed new broad access rules within the security program to permit programmers to access less sensitive systems and information. The new broad access rules superseded all other rules, including the specific access rules to limit access to the CICS System Definition File. A broad access rule will supersede all other rules unless a rule is installed that explicitly denies access to specific systems and information. Consequently, the broad access rules gave multiple non-CICS programmers the capability to access the sensitive CICS System Definition File.

These non-CICS programmers had the capability to shut down or disrupt the critical FDIC systems. For instance, each of the programmers had the ability to access a maintenance program and modify user group definitions within the System Definition File. This would permit the programmers to add themselves or others to a user group that is authorized to execute powerful CICS system commands such as the CICS master terminal transaction (CEMT) used to shut down the CICS system at any time. Upon executing the CEMT command and shutting down CICS, other users would not be able to enter commands or transactions to the financial systems, Bank Information Tracking System, or any of the other critical systems. As a result, the risk of this occurrence or other disruptions increases as the number of users with full access to the System Definition File increases.

This condition also existed during our previous audit, and it was included in our report, CICS for the IBM and Amdahl Mainframe Computers, dated June 19, 1997. To resolve that finding, DIRM implemented access rules to limit the access to four CICS programmers. However, the access rules implemented were overridden by additional changes made since that time.

Recommendations

We recommend that the Acting Director, DIRM:

(1) strictly limit access to the CICS System Definition File and its maintenance program to CICS programmers with responsibilities that warrant that access, and
(2) implement access rules to ensure that future changes to the security database do not inadvertently negate the access rules intended for the CICS System Definition File and its maintenance program.

CORPORATION COMMENTS AND OIG EVALUATION

We notified FDIC officials of our finding during the fieldwork phase of our audit. They responded by installing security restrictions that allow only four CICS Systems Programmers to have full read, write, allocate, and execute access. Further, three other system programmers for the mainframe operating system will have only read and execute access to the CICS System Definition File. FDIC officials replied that additional precautions have been implemented to ensure that these specific security changes cannot be overridden[6] and that the new changes have been documented to indicate the need for restricted access. Later, on December 20, 2001, we provided our draft report to the Acting Director of DIRM, and her office responded that they had no further comments.

[6] DIRM installed “prevent rules” for the CICS System Definition and utility files. Prevent rules instruct the security system to ignore any other broad access rules that do not specifically address these files.

FDIC actions during the audit were responsive to our recommendations. In addition, we determined through our review of the applicable mainframe files that corrective actions had been completed and were effective. The two recommendations in our report are closed for reporting purposes.

APPENDIX I

Scope and Methodology

The audit scope focused on the CICS controls over transactions for the financial application systems, and we reviewed the security of other systems that share files or communicate with the financial systems to ensure that such arrangements did not bypass controls over the financial systems. We reviewed the installation commands (job control language) and CICS installation parameters. We determined the identity of installation files for the CICS and the financial systems and evaluated the contents of all files by directly accessing the mainframe computer. Installation commands and parameters were evaluated using the recommended procedures contained in the vendor’s publications.

We also reviewed access security over files and resources, intersystem communications, and the interfaces between CICS and products used to secure and monitor CICS resources. We conducted tests of CICS and vendor transaction commands such as those used in modifying user capabilities. Selected commands were tested on the financial systems to verify that proper access security controls were functioning, and we used vendor-supplied utilities to ascertain the types of access available to critical files and resources. We obtained a copy of the CICS System Definition File and evaluated the resources available to users of the financial systems and the extent of communication allowed with other corporate systems.

We conducted our audit from June 4, 2001 to August 15, 2001 in accordance with generally accepted government auditing standards.

APPENDIX II

Prior Audit Report entitled CICS for the IBM and Amdahl Mainframe Computers, dated June 19, 1997

Summary of Recommendations and Management Comments

Our audit report presented 14 recommendations for further protecting the integrity and performance of application programs under CICS, improving access controls, and reducing the risk of CICS authorizations for a given application system interfering with or bypassing the security mechanisms for other application systems under CICS control.

- Protection of the integrity and performance of the application programs under CICS

  The report recommended changes to the sequence of installing the security programs and CICS parameters during the system start-up. We also recommended the elimination of unnecessary files that were included in the system start-up, implementation of the security controls used to protect powerful system programs, and the standardization and centralization of CICS resources.

- Adequate access controls

  Recommendations addressed improvements in controlling access to the CICS System Definition Files and to the maintenance programs that service these files, restricting the number of users with access to powerful CICS system and third-party vendor transactions/utility program libraries, and preventing users from using unsecured sign-on screens.

- Reduce the risk of CICS authorizations for a given application system interfering with or bypassing the security mechanisms for other application systems under CICS control

  Recommendations included eliminating the use of non-production files in a production application and removing the communication links from one CICS production system to a non-production system.

Management concurred with all 14 recommendations and implemented corrective actions to address the cited deficiencies.
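The rule-precedence problem described under "Adequacy of Access Controls" (a later broad access rule superseding the specific rule for the System Definition File, corrected by a "prevent rule" as described in footnote 6) is modelled below as an added example. This is illustrative code written for this page, not the FDIC's mainframe security product or its rule syntax; the rule semantics, the resource name PROD.CICS.SDF, the PROD.* pattern, and the user IDs are constructed assumptions. It goes slightly beyond the report by including an audit helper that lists every user holding a given permission on a resource, which is the check an auditor would run before and after the fix.

```python
# Added example: a simplified model of access-rule precedence. It is not the
# FDIC's security product and does not reproduce any real rule language.
# Resource names and user IDs are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    resource: str          # resource pattern: exact name, or broad such as "PROD.*"
    users: frozenset       # user IDs the rule grants access to
    access: frozenset      # permissions granted: read, write, allocate, execute
    prevent: bool = False  # True: specific rule that suppresses broad rules for this resource


def evaluate(rules, user, resource, permission):
    """Return True if `user` holds `permission` on `resource` under `rules`.

    Model (an assumption, not a product's documented behaviour): every rule
    whose pattern matches the resource is a candidate. If any candidate is a
    prevent rule, only prevent rules are consulted and broad rules are ignored;
    otherwise the most permissive matching rule wins, which is how a later
    broad grant silently negates an earlier narrow one.
    """
    matching = [r for r in rules if fnmatchcase(resource, r.resource)]
    prevents = [r for r in matching if r.prevent]
    consulted = prevents if prevents else matching
    return any(user in r.users and permission in r.access for r in consulted)


def users_with_access(rules, population, resource, permission):
    """Audit helper: which users in `population` hold `permission` on `resource`."""
    return sorted(u for u in population if evaluate(rules, u, resource, permission))


FULL = frozenset({"read", "write", "allocate", "execute"})
READ_EXEC = frozenset({"read", "execute"})
SDF = "PROD.CICS.SDF"  # constructed name standing in for the System Definition File

# Constructed population: four CICS programmers, three operating-system
# programmers, and 100 application programmers with no CICS duties.
CICS_PROGRAMMERS = frozenset({"CICS01", "CICS02", "CICS03", "CICS04"})
MVS_PROGRAMMERS = frozenset({"MVS01", "MVS02", "MVS03"})
APP_PROGRAMMERS = frozenset(f"APP{n:03d}" for n in range(1, 101))
ALL_PROGRAMMERS = CICS_PROGRAMMERS | MVS_PROGRAMMERS | APP_PROGRAMMERS

# Rule set as found: a narrow grant for the SDF, later joined by a broad grant
# over PROD.* intended for less sensitive data. The broad pattern also matches
# the SDF, so every programmer ends up with full access to it.
RULES_AS_FOUND = (
    Rule(SDF, CICS_PROGRAMMERS, FULL),
    Rule("PROD.*", ALL_PROGRAMMERS, FULL),
)

# Corrected rule set: the SDF rules become prevent rules, so the broad PROD.*
# rule is no longer consulted for that resource. Operating-system programmers
# keep read and execute only, matching the restriction the report describes.
RULES_CORRECTED = (
    Rule(SDF, CICS_PROGRAMMERS, FULL, prevent=True),
    Rule(SDF, MVS_PROGRAMMERS, READ_EXEC, prevent=True),
    Rule("PROD.*", ALL_PROGRAMMERS, FULL),
)


def finding_and_fix():
    """Return (SDF writers before fix, SDF writers after fix, SDF readers after fix)."""
    before = users_with_access(RULES_AS_FOUND, ALL_PROGRAMMERS, SDF, "write")
    after = users_with_access(RULES_CORRECTED, ALL_PROGRAMMERS, SDF, "write")
    readers = users_with_access(RULES_CORRECTED, ALL_PROGRAMMERS, SDF, "read")
    return before, after, readers


if __name__ == "__main__":
    before, after, readers = finding_and_fix()
    print(f"write access to {SDF} before fix: {len(before)} users")
    print(f"write access to {SDF} after fix: {after}")
    print(f"read access to {SDF} after fix: {readers}")
```

Running the block reports 107 users with write access before the fix and only the four CICS programmers afterwards, while the broad PROD.* grant still applies to other, less sensitive resources. The second recommendation in the report corresponds to the prevent flag: without it, any future broad rule added to the database would again match the SDF and silently widen access.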